Does this mean my ISP is playing MITM (google.com signed by *.suddenlink.net)

So today when I got back from work I fired up my webmail - and was presented with a certificate error screen. I checked and it seems that google.com is now being signed by a DigiCert wildcard certificate issued to *.suddenlink.net.

I tried to log into the VPN connection page at work - the ASA SSL sign-on page showed up with an error - now signed by *.suddenlink.net. Bing.com was also similarly hijacked, as were google.com searches.

Wells Fargo, Providian, and Bank of America, and Ameritrade were *not* being hijacked.

Amazon.com is

Basically any non financial site I went to seemed to be signed by suddenlink.net.

I called up suddenlink and they suggested I just "accept the certificates". I told them that was unacceptable and they said they would call me back after escalating the issue....

I did accept the certificate provisionally only for https://www.ut.edu - on the off chance that they were trying to redirect me to some sort of error page. No joy, it presented the site as if everything was working - no account info redirection, etc. I also went to https://www.suddenlink.net -- no messages there - it of course worked just fine.

I see the same behaviour on two Windows 7 boxes, a Solaris 11 box, a Mac Mini, an iPhone, and an Android tablet.

So I'm at a loss here - I'm waiting for support to "escalate and call me back" -- but am I misconstruing something here? It really looks like Suddenlink is trying to do some sort of SSL monitoring/packet sniffing and has explicitly excluded "financial sites" -- but everything else is now being signed by them?
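The browser warning the poster describes is a hostname mismatch: a chain-valid DigiCert certificate whose names (`*.suddenlink.net`) do not cover the site requested (`www.google.com`). The following is an added example, not code from the thread, that reproduces that check: it applies RFC 6125-style wildcard matching to the names in a certificate, and `presented_cert()` fetches whatever certificate a server actually serves while still verifying the chain, so a CA-signed certificate for the wrong name is returned for inspection instead of raising. `SAMPLE_CERT` is a constructed stand-in for what `getpeercert()` would have returned in the situation described above.

```python
import socket
import ssl

# Constructed sample mirroring the thread: the dict ssl.SSLSocket.getpeercert()
# would return for a connection to www.google.com that is answered with a
# certificate issued to the ISP's wildcard name instead.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.suddenlink.net"),),),
    "issuer": ((("organizationName", "DigiCert Inc"),),),
    "subjectAltName": (("DNS", "*.suddenlink.net"), ("DNS", "suddenlink.net")),
}

def names_from_cert(cert: dict) -> list[str]:
    """dNSName SAN entries; fall back to the subject CN only when there are none."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches_host(name: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only be the entire leftmost label, matches
    exactly one label, and needs at least two labels after it (no '*.net')."""
    labels = name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(labels) != len(host) or any("*" in lbl for lbl in labels[1:]):
        return False
    if labels[0] == "*":
        return len(labels) >= 3 and labels[1:] == host[1:]
    return "*" not in labels[0] and labels == host

def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True only if some certificate name covers the hostname we asked for."""
    return any(name_matches_host(n, hostname) for n in names_from_cert(cert))

def presented_cert(hostname: str, port: int = 443) -> dict:
    """Fetch the certificate actually served for hostname. Chain verification
    stays on (verify_mode remains CERT_REQUIRED); only the hostname check is
    deferred to cert_matches_host(), which is exactly the failure seen above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    cert = presented_cert(host)
    verdict = "OK" if cert_matches_host(cert, host) else "MISMATCH (possible interception)"
    print(host, "->", names_from_cert(cert), verdict)
```

Run it from several networks (or with the ISP's DNS swapped for another resolver, as suggested in the replies) and compare the names reported; a mismatch verdict against a name set like the sample above is the signature of the interception described in this thread.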

Suddenlink has somewhat of a bad track record for doing DNS hijacks, 404/error hijacking, etc. I wouldn't be surprised if they tried to do some very stupid SSL man in the middle for no apparent reason. If you have a router that acts as your DNS server for your network, try configuring it to use opendns or google DNS servers instead of the suddenlink ones that it is probably using now. Then make sure you clear the dns cache on your machines, or just reboot them/repair the network connections to see if that helps.

Good on you being a responsible Netizen, and not just blindly clicking through.

I would raise holy hell with them...because they ARE MITMing you...and that means they can decode your personal and financial transactions. Escalate with management, and tell them to fire whoever said "just accept the certificate."

Got a call back from Suddenlink - they told me this was due to an "incompatibility with my cable modem" - a bog standard Motorola SB6121 - but they had "worked it out anyway". Seriously.

Translation: somebody set us up the MITM attack. We didn't notice it, or understand it. If you hadn't complained and instead just blindly clicked through the warnings, you'd have all of your credentials and private account information absconded with by now.

Yes, this is a classic MITM attack. They are likely trying to do web filtering, acceleration, or something of the like and wanted to catch SSL traffic. Don't accept it and if any of them tell you it's a problem with your cable modem or some other such asinine thing, call them flat out liars.

I'm not a lawyer but it's at least possible that they are in violation of federal wiretap law unless they have some court order or request from a federal agency to do this. If you have the time, money, inclination, you could contact a lawyer, EFF, ACLU, or some such organization.

Yeah, you should probably let the EFF know - their SSL Observatory project deals with stuff like this. They also have a Firefox (and Chrome?) add-on which can automatically upload copies of certificates to their database.

This just happened to me today (Balch Springs/DFW). All of the https web sites I tried had a suddenlink.net cert, and all of my pings for those web sites pointed to 66.76.47.177. My first course of action was to switch to Google DNS (IP memorized, of course), and it went away. Then a google search for "dns hijack suddenlink" led me here.

I think I figured out what happened. On Firefox it makes a big deal out of the redirection, but when my wife tried it in Safari it simply took her to a Suddenlink notice. Apparently they instituted a new 250GB/month cap, and I exceeded it. I'm not sure why they only bothered to redirect https sites, though. Maybe it's just a coincidence.